Photo by David von Diemar on Unsplash
Cyber-villains Targeting Office 365 and G-Suite users (Monday)
Given the impacts of COVID-19 and Working from Home a necessity for many in the industry; cyber attacks this week have leveraged vulnerabilities in well known brands including the RAC. The article has good advice for Security and Operations teams to configure their mail-filters appropriately:
Tesla AutoPilot can be tricked with subliminal messages (Monday)
A couple of frames in a hacked video billboard video can trick a Tesla into taking inappropriate action:
In new research, they’ve found they can pull off [the] trick with just a few frames of a road sign injected on a billboard’s video.
Which serves to remind us that new technology comes with new threat actors, risks and controls to consider.
Enterprise of Things Emerge as as a “new” Risk Vector (Monday)
CIOs, CISOs and CSOs need to give more attention to devices connected in the enterprise, these forgotten assets can and have been used as attack vectors in recent years. Given the way of the world for the past few years, I’m expecting everything to be “internet connected” and from my own experience these devices don’t always play nice when you put controls in place.
If imitation is the sincerest form of flattery, Microsoft should be pretty pleased right now (Tuesday)
In new research from Check Point, Microsoft topped the chart of the most impersonated brands. It’s not surprising with the increase in use of Microsoft 365 that they become a juicy target.
National Security Agency releases top 25 vulnerabilities exploited by State Sponsored Actors (Wednesday)
Just in case you weren’t convinced that the “State Sponsored Actor” was a real threat, the NSA have published a list of the 25 vulnerabilities that are most likely to be attacked by Chinese State Sponsored threat agents. There is always a little bit of guess work in deciding if a group is state-sponsored as they are in general not employees of the Chinese Government so its more of a list of attacks originating from China than anything else; probably not a bad idea to check you have applied relevant patches.
Small Screens, Big Problems (Wednesday)
The issue with URL bars on small screens has again raised it’s head in the form of vulnerabilities that obscure security signals to users due to the lack of screen real estate.
Old malware distributors learn new tricks (Wednesday)
SANS has been tracking some odd looking e-mails, which appear to contain accurate information about shipping of goods, many of the details appear accurate from a cursory investigation. However the attacker gives themselves away by attaching a .cab file to the e-mail containing the Agent Tesla malware.
Minorities in CyberSecurity don’t get the same opportunities as White Men (Wednesday)
This is a problem, not just for minorities, but for everyone. Diversity builds resilience and avoids group think, if you have a team of White Men you are subjecting yourself to only being able to achieve a local maxima. We all need to think about how to build diverse organisations and not exclude any one facet of society.
Cybersecurity is a cash sink hole until the moment it isn’t (Thursday)
In the 2020 Akamai State of the Internet / Security Report one author makes the comment:
Cybersecurity is a Low-ROI Business Case, Until a Breach
Which cleverly draws out a key point, that actually applies to most of the IT industry. All of the work that you, or I, do is often only visible when it is absent — the loss events we are trying to avoid are low-frequency, high magnitude — therefore if we underinvest in these areas all we are doing is increasing the probability or magnitude of something bad happening in the future.
FIRST publishes ethics guide for Cybersecurity Incident response teams (Thursday)
Ethics is important, ethics is the higher standard that we should all hold ourselves to. In 1970 Milton Freidman argued that “businesses’ sole purpose is to generate profit for shareholders” — A Simon Sinek would say, “what about ethics”. Handling cyber security incidents is fraught with ethical questions, it’s good to see FIRST have risen to the challenge to raise the interests of ethics in Cybersecurity conversations:
Auditing of Cloud Applications is a must in a Work From Home Economy (Thursday)
Inexperienced IT teams commonly struggle with cloud services, often due to an overreliance on the ‘Castle’ model to defence, also known as “Build a big wall”. In the cloud you have many walls surrounding each service, not the whole organisation — as an industry we do need to do more to support safe cloud adoption and a set of guardrails make a lot of sense in this context.
New vulnerability scoring systems focus on customers not exploitability (Friday)
In the US the Food and Drug Administration, part of the US Federal Government has come up with a new vulnerability scoring system that, unlike CVSS focuses on the impact on the patient. CVSS, partially because of it’s ubiquity, has come under fire because it doesn’t represent the aggregate threat landscape.
Sooty the SOC API client (Friday)
Finally this week, I had a play around with Sooty to automate some of the work I do when suspect e-mails come in. I have a write up for how to install it on WSL2.